
Re: lack of boot-time entropy on arm64 ec2 instances

On Thu, Jan 09, 2020 at 01:11:41AM +0000, Luca Filipozzi wrote:
> (It's not like RNG quality is a new problem... why didn't
> virtualization approaches include host-to-guest RNG passthrough from the
> beginning?)

Virtio-rng has been around since 2008 (over a decade), and it provides
specifically the host-to-guest RNG passthrough that you've mentioned.
Qemu supports it, as does GCE.  I'm a little surprised to find out
that AWS doesn't support virtio-rng; I thought it did, but I just ran
a quick experiment, and it appears I was wrong.  The Debian cloud
kernel doesn't appear to enable CONFIG_HW_RANDOM or
CONFIG_HW_RANDOM_VIRTIO --- boo, hiss --- but the Ubuntu kernel does,
and so I booted an AWS VM with Ubuntu.  I tried loading the virtio-rng
module, and it didn't show up in /sys/class/misc/hw_random/rng_available.

This is what you will find on a GCE VM if you have a Linux kernel
configured correctly to support virtio-rng:

root@xfstests:~# dmidecode -s system-product-name
Google Compute Engine
root@xfstests:~# cat /sys/class/misc/hw_random/rng_available 
virtio_rng.0 tpm-rng-0 
root@xfstests:~# cat /sys/class/misc/hw_random/rng_current

With newer kernels, virtio-rng will automatically be used to
initialize the CRNG, as well as provide continuous entropy to
/dev/random, for those people, or companies, or Payment Card Industry
(PCI) compliance labs, who have some irrational need for "True
Randomness" (whatever the hell that means).

Now, I happen to work at Google (in fact, I was one of the people who
pushed for virtio-rng in GCE), so the argument can be made that I'm
being biased, but QEMU's support of virtio-rng support long predates
GCE's support of virtio-rng by many, many years.  I'd encourage those
of you who are in position to make Amazon listen to get with the
program and support virtio-rng.  :-)

						- Ted

P.S.  The above experiment in GCE was done using a kernel built using a
defconfig for 5.4+ kernels [2] (copy to .config and run "make
olddefconfig").  For kernels between 4.19 and 5.3 inclusive, use [1].
These kernel configs are minimal configs optimized for file system
testing using gce-xfstests[3] and kvm-xfstests, but some folks might
find them useful.  The kvm-xfstests framework is also useful for testing
kernel configs for randomness.  (Compare "kvm-xfstests shell" with and
without "--no-virtio-rng".)

[1] https://github.com/tytso/xfstests-bld/blob/master/kernel-configs/x86_64-config-4.19
[2] https://github.com/tytso/xfstests-bld/blob/master/kernel-configs/x86_64-config-5.4
[3] https://thunk.org/gce-xfstests
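The check described in the mail (look for a virtio_rng source under /sys/class/misc/hw_random and confirm the kernel was built with CONFIG_HW_RANDOM and CONFIG_HW_RANDOM_VIRTIO) as a small POSIX shell script. This is an added example, not code from the original mail or from the xfstests-bld project; it takes the sysfs root and the kernel config file as parameters so it can be exercised on a constructed fake tree, and the demo inputs at the bottom (including the rng_current value) are made up to mirror the GCE and AWS cases the mail describes. On a real guest you would pass /sys and a plain-text copy of /proc/config.gz or /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example (not from the original mail): does this Linux guest see a
# virtio-rng source, and does its kernel config enable the driver?
# Parameters: $sysfs = sysfs root (normally /sys), $config = kernel config
# as plain text (zcat /proc/config.gz, or /boot/config-$(uname -r)).

HWRNG=class/misc/hw_random

# List the hwrng sources the kernel registered, one per line. The sysfs
# file is space separated with a trailing space, as in the GCE output above.
rng_available() {
    f="$1/$HWRNG/rng_available"
    [ -r "$f" ] || return 1
    tr ' ' '\n' < "$f" | sed '/^$/d'
}

# Exit 0 if a virtio_rng source is visible, 1 otherwise.
has_virtio_rng() {
    rng_available "$1" 2>/dev/null | grep -q '^virtio_rng'
}

# Print the backend the hwrng core currently reads from, or "none".
rng_current() {
    f="$1/$HWRNG/rng_current"
    cur=""
    [ -r "$f" ] && cur=$(cat "$f")
    [ -n "$cur" ] && echo "$cur" || echo none
}

# Exit 0 if option $2 is =y or =m in kernel config file $1.
kconfig_enabled() {
    grep -q "^$2=[ym]$" "$1"
}

# Verdict: 0 = driver built and a virtio-rng device is exposed;
#          1 = kernel config lacks the driver (the Debian cloud kernel case);
#          2 = driver present but no virtio_rng source (the AWS case).
check_guest() {
    sysfs=$1; config=$2
    if ! kconfig_enabled "$config" CONFIG_HW_RANDOM ||
       ! kconfig_enabled "$config" CONFIG_HW_RANDOM_VIRTIO; then
        echo "kernel config lacks CONFIG_HW_RANDOM/CONFIG_HW_RANDOM_VIRTIO"
        return 1
    fi
    if ! has_virtio_rng "$sysfs"; then
        echo "driver enabled but no virtio_rng source (current: $(rng_current "$sysfs"))"
        return 2
    fi
    echo "virtio_rng visible; current backend: $(rng_current "$sysfs")"
    return 0
}

# Build a constructed fake sysfs tree (not real data) so the checks can be
# run offline: $1 = dir, $2 = rng_available contents, $3 = rng_current contents.
make_fake_sysfs() {
    mkdir -p "$1/$HWRNG"
    printf '%s\n' "$2" > "$1/$HWRNG/rng_available"
    printf '%s\n' "$3" > "$1/$HWRNG/rng_current"
}

# Demo on constructed inputs: a GCE-like tree, an AWS-like tree, and two
# config files standing in for the Ubuntu and Debian cloud kernels.
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_HW_RANDOM=y\nCONFIG_HW_RANDOM_VIRTIO=m\n' > "$d/config-ubuntu"
    printf '# CONFIG_HW_RANDOM is not set\n' > "$d/config-debian-cloud"
    make_fake_sysfs "$d/gce" 'virtio_rng.0 tpm-rng-0 ' 'virtio_rng.0'   # rng_current value assumed
    make_fake_sysfs "$d/aws" '' ''
    for case in "gce config-ubuntu" "aws config-ubuntu" "aws config-debian-cloud"; do
        set -- $case
        rc=0; check_guest "$d/$1" "$d/$2" || rc=$?
        echo "  -> $1 with $2: exit status $rc"
    done
    rm -rf "$d"
}

demo
```

The exit-status split matters in practice: status 1 is fixed by rebuilding or switching kernels, while status 2 means the hypervisor simply does not expose a virtio-rng device and no guest-side change will help.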
